That had already prompted a number of privacy concerns, with the toy - and, particularly, the interactive services powered by ToyTalk - facing criticism from the Campaign for a Commercial-Free Childhood (CCFC), which suspected it of feeding marketable information back to advertisers.
Now, though, it is the digital security of the Hello Barbie itself that has come under fire. Researchers at BlueBox dug through the companion app and the server-side services, finding a number of potentially dangerous weaknesses.
For instance, the doll will connect to any unsecured WiFi network hosted by a mobile device, as long as it has "Barbie" in the network name, and the authentication credentials can be reused. The firm admitted that data on millions of parents and young children had been exposed because of flaws in its app server, while other researchers have taken the firm to task over inherent flaws in its low-cost gadgets.
One such project found that all user information a child saved on a VTech tablet was stored on a removable microSD card, and could still be accessed if the toy was lost, sold, or stolen.
The Hello Barbie revelations are likely to draw greater attention to the security - or lack of it - around connected and Internet of Things devices, which is concerning given the rising number of web-enabled gadgets found in the typical smart home. On the server, meanwhile, there are weaknesses in certificate authentication credentials, and ToyTalk's server domain was found to be running on infrastructure with known attack weaknesses.
Hello Barbie, hello another kid security nightmare - SlashGear
Connected kids' toys continue to face growing pains, with Mattel's Hello Barbie the latest to show worrying flaws that could leave kids exposed to hacks. The talking, WiFi-connected doll was announced earlier this year, as Mattel attempted to bring its iconic dress-up toy into the 21st century by enabling her to react to and learn from the child playing with her.
Nonetheless, some of the potential applications of the hacked toy were disturbing.
For instance, hackers could have accessed recordings of conversations held with the Hello Barbie doll by a child.
Patchy security for devices intended to be used by children has been in the headlines lately, following the high-profile hack of toy tablet manufacturer VTech.
Some of the code in the app "serves no function but increases the general attack surface," BlueBox's researchers say.
BlueBox informed ToyTalk of the findings just before releasing them publicly, and says that many of the issues have, as a result, been fixed.